1556329 - Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Cell.h:354 with WeakMap and GC

Status: VERIFIED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 219a897031a3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

evalInWorker(`
  function feval(code) {
    eval(code);
  };
  feval(\`
    var sym4 = Symbol.match;
    function basicSweeping() {}
    var wm1 = new WeakMap();
    wm1.set(basicSweeping, sym4);
    startgc(100000, 'shrinking');
  \`);
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Cell.h:354
#1  0x0000555555de4b50 in js::gc::detail::GetZone (t=...) at js/src/gc/WeakMap-inl.h:40
#2  js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntry (this=0x7ffff58f1e40, marker=0x7ffff58d36f8, markedCell=<optimized out>, origKey=<optimized out>) at js/src/gc/WeakMap-inl.h:136
#3  0x0000555556037fa1 in js::GCMarker::enterWeakMarkingMode (this=this@entry=0x7ffff58d36f8) at js/src/gc/Marking.cpp:2600
#4  0x00005555560815b6 in js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> (this=this@entry=0x7ffff58d26a8, phase=phase@entry=js::gcstats::PhaseKind::SWEEP_MARK_WEAK, budget=...) at js/src/gc/GC.cpp:4601
#5  0x0000555556038795 in js::gc::GCRuntime::markWeakReferencesInCurrentGroup (budget=..., phase=js::gcstats::PhaseKind::SWEEP_MARK_WEAK, this=0x7ffff58d26a8) at js/src/gc/GC.cpp:4634
#6  js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff58d26a8, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5503
#7  0x000055555608a330 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff53354c0, args#0=0x7ffff58d26a8, args#1=0x7ffff68fc630, args#2=...) at js/src/gc/GC.cpp:6501
#8  0x000055555608cb4a in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5320c40, args#0=0x7ffff58d26a8, args#1=0x7ffff68fc630, args#2=...) at js/src/gc/GC.cpp:6561
#9  0x0000555556037bfc in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff58d26a8, budget=...) at js/src/gc/GC.cpp:6733
#10 0x000055555604e9f6 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff58d26a8, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7262
#11 0x000055555604f4a3 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff58d26a8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7628
#12 0x000055555604fb4c in js::gc::GCRuntime::collect (this=this@entry=0x7ffff58d26a8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7808
#13 0x00005555560519f5 in js::gc::GCRuntime::startDebugGC (this=this@entry=0x7ffff58d26a8, gckind=GC_SHRINK, budget=...) at js/src/gc/GC.cpp:7956
#14 0x0000555555c4b835 in StartGC (cx=<optimized out>, cx@entry=0x7ffff58d8000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1277
#15 0x0000555555911d9f in CallJSNative (cx=0x7ffff58d8000, native=native@entry=0x555555c4b790 <StartGC(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#30 0x000055555587ed95 in WorkerMain (input=<optimized out>) at js/src/shell/js.cpp:4087
[...]
#34 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x555557d44000	93825034108928
rbx	0x7ffff5f3d000	140737319784448
rcx	0x555556bccd08	93825015794952
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7ffff68fc230	140737330004528
rsp	0x7ffff68fc220	140737330004512
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff68ff700	140737330018048
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff68fc270	140737330004592
r13	0x7ffff68fc260	140737330004576
r14	0x7ffff68fc250	140737330004560
r15	0x7ffff58d36f8	140737313060600
rip	0x55555590d1f9 <js::gc::TenuredCell::zone() const+89>
=> 0x55555590d1f9 <js::gc::TenuredCell::zone() const+89>:	movl   $0x0,0x0
   0x55555590d204 <js::gc::TenuredCell::zone() const+100>:	ud2

Marking s-s because this involves GC.

Comment 1

[Steven DeTar [:sdetar]]

Steve, I saw this was possibly weakmap related, could help look into this bug.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/37f9bd277c34
user: Steve Fink
date: Fri May 31 23:33:48 2019 +0000
summary: Bug 1167452 - Barrier weakmap operations and maintain weak keys table during incremental collections. r=jonco

Steve, is bug 1167452 a likely regressor?

Comment 3

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1556329 - Avoid values owned by another runtime r=jonco

Comment 4

[Ryan VanderMeulen [:RyanVM]]

Can we close this now that bug 1167452 has been backed out?

Comment 5

[Steve Fink [:sfink] [:s:]]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #4)

Can we close this now that bug 1167452 has been backed out?

Yes. I'll incorporate the fix into the eventual landing. Shouldn't be later than the year 2038 or so. :-)

I have no idea what status to use here.

Comment 6

[Ryan VanderMeulen [:RyanVM]]

Let's just say fixed by backout :)

Comment 7

[Fuzzing Team]

JSBugMon: This bug has been automatically verified fixed.